CiviCRM Versions 5.10.2 and earlier
CiviCRM Versions 5.10.3 and 5.7.4
The "Currency" element of a new pledge was not properly validated, which could potentially lead to a cross-site scripting attack.
Upgrade to the latest version of CiviCRM.
Patrick Figel of Greenpeace for reporting and fixing the issue
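The class of fix the description above calls for, shown as an added example that is not CiviCRM's code or its actual patch: accept a pledge currency only if it is a three-letter code on the site's enabled list, and HTML-escape it wherever it is rendered. The function names, the enabled-currency list and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration; not CiviCRM code. Function names and the
// enabled-currency list are hypothetical.

/**
 * Return the currency code if it is a syntactically valid three-letter
 * code that is enabled for this site; otherwise throw.
 */
function validate_pledge_currency($raw, array $enabledCurrencies): string
{
    // Request parameters may arrive as arrays or null, not only strings.
    if (!is_string($raw)) {
        throw new InvalidArgumentException('Currency must be a string');
    }
    // \A and \z (not ^ and $) so a trailing newline cannot slip through.
    if (preg_match('/\A[A-Z]{3}\z/', $raw) !== 1) {
        throw new InvalidArgumentException('Currency is not a three-letter code');
    }
    // Strict comparison against the allowlist of enabled currencies.
    if (!in_array($raw, $enabledCurrencies, true)) {
        throw new InvalidArgumentException('Currency is not enabled');
    }
    return $raw;
}

/** Escape at output too, so values stored before the fix render inertly. */
function render_currency(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: one valid code, then values that must be rejected.
$enabled = ['USD', 'EUR', 'GBP'];
$samples = ['EUR', 'usd', "USD\n", 'XXX', 'USD"><script>alert(1)</script>', ['USD']];

foreach ($samples as $input) {
    // Non-string inputs are JSON-encoded only so they can be displayed.
    $shown = render_currency(is_string($input) ? $input : json_encode($input));
    try {
        $ok = validate_pledge_currency($input, $enabled);
        echo 'accepted: ' . render_currency($ok) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$shown} ({$e->getMessage()})\n";
    }
}
```

Input validation and output escaping are independent controls: the allowlist stops new bad values from being stored, while escaping covers any value that was saved before the upgrade.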